CyRC Vulnerability Advisory: CVE-2022-43945 buffer overflow vulnerabilities in NFSD

Get remediation guidance on CVE-2022-43945, which covers two vulnerabilities causing buffer handling issues in the Linux kernel NFSD implementation.

By: Aleksi Illikainen and Kari Hulkko, Synopsys Cybersecurity Research Center.

Overview

The Synopsys Cybersecurity Research Center (CyRC) has identified problems with buffer handling in the Linux kernel NFSD implementation, reported as CVE-2022-43945. The mechanism causing the problem has been in the kernel code for decades and might be exploited in diverse ways depending on the version of the kernel and NFS operation used.

NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. Historically, this approach was used to optimize memory usage when no single operation needed a large RPC message and a large RPC reply message at the same time. To achieve shared-buffer functionality, a send buffer must shrink when the received RPC message size increases.

A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space.
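The shared-buffer arithmetic described above, as a simplified userspace model added here for illustration; it is not the kernel's code and not part of the advisory. The page counts, the `model_rqst` struct and the two check functions are constructed assumptions: the legacy-style check looks only at the operation's protocol maximum, while the hardened check also measures the space left behind the received message before anything is written.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model: each server thread owns a fixed array of pages shared
 * between the received RPC message (front) and the reply (what is left). */
#define MODEL_PAGE_SIZE    4096
#define MODEL_THREAD_PAGES 8
#define MODEL_POOL_BYTES   (MODEL_PAGE_SIZE * MODEL_THREAD_PAGES)

struct model_rqst {
    unsigned char pool[MODEL_POOL_BYTES];
    size_t recv_len;  /* received message length, trailing garbage included */
};

/* Send-buffer space shrinks as the received message grows. */
static size_t model_reply_capacity(const struct model_rqst *r) {
    return r->recv_len > MODEL_POOL_BYTES ? 0 : MODEL_POOL_BYTES - r->recv_len;
}

/* Legacy-style check (assumed): the reply is judged only against the
 * operation's protocol maximum, never against the space left in the pool. */
static bool reply_allowed_legacy(size_t reply_len, size_t max_payload) {
    return reply_len <= max_payload;
}

/* Hardened check: the reply must also fit behind the received message. */
static bool reply_allowed_fixed(const struct model_rqst *r, size_t reply_len,
                                size_t max_payload) {
    return reply_len <= max_payload && reply_len <= model_reply_capacity(r);
}

/* Receive msg_len bytes, then encode a reply_len-byte reply under the
 * hardened check. Returns bytes written (0 when the reply is refused). */
static size_t model_round_trip(size_t msg_len, size_t reply_len,
                               size_t max_payload) {
    static struct model_rqst r;
    if (msg_len > MODEL_POOL_BYTES)
        return 0;                     /* the message itself does not fit */
    memset(r.pool, 0, sizeof r.pool);
    r.recv_len = msg_len;
    if (!reply_allowed_fixed(&r, reply_len, max_payload))
        return 0;                     /* refused instead of overrunning */
    memset(r.pool + r.recv_len, 0xAB, reply_len);  /* stays inside the pool */
    return reply_len;
}
```

A request padded to just under the whole pool passes the legacy-style check for a 16 KiB reply but is refused by the hardened one, which is the difference between a write past the page array and a clean error.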

While investigating the reported vulnerability, other buffer-handling issues in the NFSD code were found and fixed.

The vulnerabilities can be used for a denial-of-service attack at minimum.

Affected software

All Linux kernel versions using NFSD prior to 5.19.17 and 6.0.2.

Impact

CVSS 3.1 base score: 6.5 (Medium)
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Remediation

Relevant fixes are landing in the mainline kernel with the nfsd-6.1 updates.

The fixed code is included in the stable kernels since versions:

  • 6.0.2
  • 5.19.17

The original patches for NFSD v2/v3/v4 are available from the NFSD and NFS/RDMA development repository.

Discovery credit

Aleksi Illikainen and Kari Hulkko from the CyRC discovered these vulnerabilities by using the Defensics® fuzz testing tool.

Synopsys would like to thank the maintainers of the Linux NFSD subsystem for their responsiveness and great cooperation.

Timeline

  • July 20, 2022: Initial disclosure
  • August 8, 2022: Linux Foundation confirms the vulnerability
  • September 1, 2022: Patch v3 published for NFSv2/3
  • September 26, 2022: Patch published for NFSv4
  • October 4, 2022: Patch integrated into mainline kernel
  • November 3, 2022: Advisory published by Synopsys

About CVSS

FIRST.Org, Inc. (FIRST) is a nonprofit organization based in the U.S. that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using CVSS. FIRST also states that any individual or organization that publishes scores must follow the guidelines so that anyone can understand how the score was calculated.

*** This is a Security Bloggers Network syndicated blog from Application Security Blog authored by Kari Hulkko. Read the original post at: https://www.synopsys.com/blogs/software-security/cyrc-advisory-buffer-overflow-vulnerabilities-linux-kernel-nfsd/